...and we'll achieve cyber superiority with the space alien technology we've been hiding at Area 51

Good grief, who wrote the president’s speech today? His new cybersecurity proposal includes this urban legend:

“…and that in other countries cyber attacks have plunged entire cities into darkness…”

I and other experts bashed this urban legend more than a year ago. Now I’ve got President 2.0 spouting it as if it’s a fact.

It’s an urban legend because no one knows any details whatsoever. To be specific:

Who plunged entire cities into darkness with the click of a mouse? No one knows.

When did these cyber-terrorists plunge entire cities into darkness with the click of a mouse? No one knows.

Where are these cities that plunged into darkness with the click of a mouse? No one knows.

Why did the cyber-terrorists plunge these cities into darkness with the click of a mouse? No one knows.

How widespread were these cyber-terror blackouts? No one knows.

Whose power grid Internet connection did the cyber-terrorists exploit? No one knows.

How many victims perished in these cyber-attacks? No one knows.

What did it cost to clean up after these cyber-terror attacks? No one knows.

Does Interpol want to extradite a U.S. citizen so he can stand trial on charges of cyber-terrorism? No one knows.

Listen to me, folks. Cyber fearmongers crave this kind of information. They crave it like a drug. And yet none of the cyber fearmongers has ever come forward to say “this city got hit on this date by this terror group using clandestine funds from this nation for this purpose, plunging this many people into darkness and killing this many hospital patients who lost power to their life support systems.”

It’s an urban legend, folks. It doesn’t make it any more real when it flows from the lips of the president of the United States…

I probably should have read part one before parts 2 and 3 of this article, but I do have a question. You mentioned in part 2 that government intelligence officials have lacked data and appropriate computations regarding the prevalence and cost of cyber-terrorism and cyber-security. Obama, Clinton and past Presidents have used faulty intelligence information to push agendas. My question, though, is how much do you think cyber-terrorism/security affects and costs the United States annually? Should we be paying more attention to it, not necessarily through fear mongering, but rather through indepth and accurate analysis and understanding? Perhaps it is the fear mongering, but I do feel that as we progress further into a global, digital environment, there is a need for cyber-security. Do I agree with Obama and his numbers on this issue? Not at all, I feel as if its a tactic to push agenda rather than really focusing on what should be done about it. I’m just curious to see how you feel about the core of the issue beyond Obama’s blunder.

::My question, though, is how much do you
::think cyber-terrorism/security affects
::and costs the United States annually?

Great question, Charley! Before I answer it, let me stress that while the “inside experts” claim they DO know the true scope of your question … I insist they DON’T know the true scope. Extraordinary claims require extraordinary evidence, which we lack. The inside experts tell the public they can’t divulge the truth because Osama bin Laden will use the knowledge to destroy the United States. Everything the public does know, overwhelmingly points to hyperbole and hysteria. So the skeptics say “stop crying wolf” and the inside experts say “we’re Cassandras, you just wait and see.”

So. How much does it cost? Skeptical expert Bruce Schneier describes the cost as a “terrorism tax,” similar to the Cold War tax although much more directly extracted from every American’s pocketbook.

I myself engage in hyperbole when I say “I honestly believe the cyber-terror tax exceeds its return on investment.” Why, then, would I let the inside experts turn on me to demand “what evidence supports your belief”? Because I can then respond “well, you’re the only one here who can give our audience the evidence they need to disbelieve me. But you won’t cough up any evidence for scrutiny, will you?”

Still, it doesn’t answer your question. So let’s make a (somewhat invalid) comparison. “Rob, did we spend too much on the Y2K hysteria?” The answer is “businessmen spent the right amount, but if they spent it in fear, then they spent the right amount for the wrong reason.” A college-level logic course will teach you that, given a chocie, you’d rather spend the wrong amount for the right reason, than spend the right amount for the wrong reason. Terrorism of any sort is simply a matter of risk; the money you spend to mitigate it (repeat “mitigate”) is essentially an insurance bet. (Professional poker players understand this logic as the “expected value of a hand.” Pros would rather lose a hand for the right reason than win a hand for the wrong reason.)

::Should we be paying more attention to it,
::not necessarily through fear mongering,
::but rather through indepth and accurate
::analysis and understanding?

Yes. And I think the government should do it. Sadly, their research remains highly overclassified even by the government’s own admission.

But it’s even worse than most experts realize, and we can expose it with a simple observation. We know the U.S. military analyzes the attacks it gets each day — knowledge that remains completely out of reach to airmen & soldiers who would use the info to defend their home networks. It’s valid to assume major intelligence agencies both friendly (e.g. Israel) and hostile (e.g. North Korea) target the home networks of career officers & sergeants who habitually take FOUO and (yes!) classified info home to work on it after duty hours. Military analysis would at least yield a realtime blackhole list, yet the knowledge goes to waste on home networks where it would prove particularly useful.

I forget who once said “analysis that cannot be obtained is analysis that does not exist.” The military’s (public) release of a realtime blackhole list would do wonders in the realm of information protection. But they don’t release it … so it doesn’t exist for those who could benefit from it.